Tune Down The Noise: How To Effectively Tune Your SIEM

10/30/19 8:48 AM |
by RedLegg Blog

Security Information and Event Management (SIEM) platforms play a critical role in real-time response to threat monitoring and event correlation. By collecting, analyzing, and reporting log data and event data, CISOs and IT professionals can identify tends risks, misconfigurations, and potentially malicious activity.

Many companies turn to Managed Security Service Providers (MSSP) to deploy and implement their SIEM. Real-time threat intelligence and event correlation can help eliminate blind spots and alert your IT security staff when action is necessary.

However, just bringing in a managed service provider isn’t enough. Even though you are counting on 24x7x365 monitoring from your MSSP, your security will only be as good as the event tuning.

What Is SIEM Tuning?

One of the first things you will notice when your SIEM deployment is created and all of your hosts are successfully sending their logs to the SIEM is the sheer volume of log and event data available to you. It can become overwhelming without spending time to understand the context and value from each of the log sources and leverage configuration with the SIEM to control the amount of data presented to you.

This is considered “tuning” your SIEM. The goal is to make sure the most important data is presented to you based on the value and confidence of the log type and the use cases you have in place.

Why You Would Want To Tune/Retune Your SIEM

As stated above in an untuned environment you may find yourself drowning in data. This can make it difficult to discern important events from ordinary ones.

Such was the case when attackers accessed data from 70 million Target customers on Point of Sale (POS) systems. According to CSOOnline, SIEM monitoring software caught the initial intrusion and reported it to the company. The alert was overlooked because of the volume of data and the false positives that had been noted previously. In fact, some of the company’s network monitoring alerts may have been disabled because of the number of false positives it had received.

In a survey of C-level Security Executives, more than a third reported receiving more than 10,000 security alerts as part of their cybersecurity monitoring each month. More than half of the alerts were false positives and 64% were redundant alerts. Because many companies manually review these alerts, it’s easy to see how even important alerts might be overlooked.

A Cisco survey of large companies determined that 44% of organizations were seeing an average of 5,000 alerts daily. Due to constraints and staffing, less than 60% of the alerts were investigated. Even though 28% of the alerts were cited as legitimate concerns to information security, fewer than half of them were remediated.

Tuning (and retuning) is a way to cut down on irrelevant alerts, duplicate alerts, and false positives. Alerts without context and priority levels are also difficult to focus on.

Ways to Effectively Tune/Retune Your SIEM

If you outsource to a Managed Security Services Provider (MSSP), you will want to review how that team interfaces with your infrastructure.

1. Review your rules and alert configurations regularly.

Infrastructure environments never stay static for long. They are always evolving as time goes by: new endpoints, subnets, technology, types of data, and compliance requirements are also being added, changed, or taken out of service. It is important to always be retiring decommissioned hosts and adding new hosts to the SIEM as your network footprint changes.

It can be helpful to perform periodic audits of your environment and make sure all of the critical hosts are at least logging to your SIEM so that their logs are being monitored.

2. Consider your current risks vs your initial tuning.

It’s not just your systems that may need some adjustment. The threat landscape may have changed as well. Pay particular attention to third-party and cloud-based connections as new points of attack.

Review threat intelligence feeds regularly and retune when necessary. After all, your SIEM is only as good as the data you use.

Understanding the risk vectors for your environment and building those use cases into your SIEM is critical to reducing blind spots in your security.

3. Reduce alerts wherever possible.

What information security alerts do you really care about? Can you eliminate some of the low-level threats or alerts you routinely ignore?

Alert fatigue is no joke. The more you can weed out alerts you don’t act upon, the more high-value alerts will garner your attention.

4. Determine your baselines.

It’s important to revisit behavioral baselines for users and systems. As systems change, behaviors will evolve as well. If you are using SOAR (Security Automation, Orchestration, and Response), you will want to update your baselines so that you won’t have false positives.

5. Reconsider the behaviors you’re monitoring.

You should also examine whether you are monitoring the right behaviors and have alerts in place when unusual activity takes place.

6. Inventory new apps and privilege changes.

Apps come and go. Update your SIEM to monitor apps that are currently on your system and delete monitoring for apps that are no longer in use.

Team members come and go as well. Some leave the company while others may get promoted. Monitor changes to privileges for team members. Make sure privileges are only granted for the level of access needed to avoid privilege escalation attacks. Add alerts when users attempt to change or alter privileges.

7. Ask your analysts what needs to be changed.

Analysts look at data every day. They can tell you which alerts they routinely ignore and which ones they pay attention to. Retune your systems to weed out irrelevant and duplicative alerts.

8. Create new alerts to cover blind spots to add value to monitoring.

When tuning out false positives, it’s easy to create blind spots if you’re not careful. New alerts should only be added if you can determine they create additional value. In other words, don’t bother monitoring things you don’t care about or aren’t going to be acted upon.

9. Adjust critical escalation levels for priority alerts.

You should also tweak critical escalation levels for priority alerts. As your systems have likely changed since your SIEM was initially configured, escalation levels for priority alerts need to be adjusted as well.

Some MSSPs will forward an alarm regardless of priority levels and allow end-users to determine the proper course of action. This can mean important alerts get lost in the data. Regularly retune your SIEM to give priority to high-level alerts which may change over time.

10. Always apply patches and updates ASAP.

Don’t forget to pay attention to any application updates for the SIEM that have been released. You always want to apply patches as soon as possible to avoid zero-day attacks that can pass through threat detection solutions.

Tuning And Retuning Your SIEM

Your SIEM solution is there to detect security incidents in real-time while organizing and managing your security logs in one place. Tuning and retuning can keep your SIEM healthy and working as intended.

New hardware, software, and apps are being added regularly. New types of data may be added. New people may require access or new privileges. Things rarely stay the same for long.

Make sure you are receiving the right alerts with the right escalation levels. Tune out the noise and reduce false alerts. Review baselines and behaviors. As your organization evolves, you need to return to mark sure your configuration reflects your current environment.

Don’t expose your organization to unnecessary risks. Just as you go to the doctor for regular checkups, give your SIEM regular tune-ups and take corrective action to ensure your cybersecurity posture is strong.

Looking for your next step? Learn more about this free SIEM Architecture Review or review how co-managed SIEM can help your team.